NEWS ANALYSIS: There is no single place where security responsibility resides. Carriers, infrastructure providers and customers should take some responsibility.
FORT LAUDERDALE, Fla.—The young woman in the brown uniform looked at me suspiciously. “I need some photo identification,” she said. I glanced at her shoulder patch showing that she was with U.S. Customs and Border Protection and handed over my passport. Once she saw the document and confirmed (apparently to her disappointment) that I did, indeed, look like my photo, she motioned me through the gate in the security fence.
This was the first time I could remember when I’d had to get past customs just to enter a convention center, but I decided that it must mean that the people putting on the Competitive Carriers Association annual meeting took security seriously. This was a hopeful sign, since I was presenting a panel discussion on security for mobile devices. Later, I would find out that the presence of the Border Patrol was unrelated to the conference—the city of Fort Lauderdale had changed something about entering their port, thus the security.
The topic of the panel discussion I was moderating was “Security Works Both Ways: Helping Your Customer Stay Secure,” which was intended to cover how carriers and providers of infrastructure need to work with their end users because security is a common requirement. This panel turned out to be remarkable for two reasons. The first was that we stayed on topic, which is unusual.
The folks who came to see what we had to say were, in fact, very interested in the issue because it turns out that security issues that reach their customers also affect the companies. Some of the effects can be significant. For example, if malware makes a device on their network turn an endpoint into a bot network client, the carrier’s network could suffer from the vast traffic load, but also by having its traffic to other networks blocked.

But, of course, things like malware aren’t the only problem, as one panelist, my friend David Gewirtz, said when he pointed out the second remarkable thing. “Never underestimate the efforts of your users to overcome your security,” he said. Gewirtz then told about one instance in which one of the first things a user had done, when issued a smartphone, was to try to eliminate all of the security protection.

Fortunately, not every end user actively works to defeat your security, but that doesn’t mean security of mobile devices is simple or easy. In fact, the nature of the devices, that they’re inherently in an insecure environment, adds to the complexity of their security overhead. Not only do you have to worry about malware and hackers, but you also have to worry about them being lost.
The security issues go on from there. One audience member talked about a security problem that presented unexpected challenges to the small rural carrier for which she worked. There, the problem was that someone in Jamaica was calling her customers and leaving messages promising big rewards and then leaving a phone number.
When the customer called back, it appeared to be just another call from an unfamiliar area code, but what actually happened was that the particular area code was part of a scam. Calls to it seemed to be calls within the United States, but instead were to a specific area code in Jamaica where long distance calls from the states were charged at a rate of hundreds of dollars per minute. Those customers obviously wanted their carrier to help them cover the costs, creating a financial risk to the carrier.

Leave a Reply